File name:

BattMonSetup-1.16.1.1-cracked.msi

Full analysis: https://app.any.run/tasks/2b7542ee-dda0-44b0-8f9a-1f7e393bb680
Verdict: Malicious activity
Analysis date: May 30, 2024, 12:47:17
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
generated-doc
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Bluetooth Battery Monitor Version 1.16.1.1 Installer, Author: Luculent Systems, LLC, Keywords: Installer, Comments: This installer database contains the logic and data required to install Bluetooth Battery Monitor., Template: Intel;1033, Revision Number: {0C546D84-2807-4B98-A6A9-35CF219E9CEB}, Create Time/Date: Sun Sep 8 23:42:54 2019, Last Saved Time/Date: Sun Sep 8 23:42:54 2019, Number of Pages: 500, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.1.2318), Security: 0
MD5:

64C2A5C28712DDEF1F146AD9D5A79E99

SHA1:

4D83BAE83BFB5968C4E4D6F5E286AB8D6682B3F9

SHA256:

00C1388DE5F88623AC4A9B6ECD296A4009D21254C5B738EA372B0E8FBD67BF98

SSDEEP:

98304:EdtaSHCAcaVbSW18V8tOdthNDsaXd7FQMxfvrE+DtrXg3RMHp+yGvPnDZKTZz8Vq:E94X5oWrWZ3X5ps4KCNQtmuLcA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • msiexec.exe (PID: 3968)
      • msiexec.exe (PID: 4004)
      • msiexec.exe (PID: 1948)
    • Creates a writable file in the system directory

      • msiexec.exe (PID: 1948)
    • Create files in the Startup directory

      • msiexec.exe (PID: 4004)
  • SUSPICIOUS

    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 4004)
    • Process drops legitimate windows executable

      • msiexec.exe (PID: 4004)
    • The process drops C-runtime libraries

      • msiexec.exe (PID: 4004)
    • Creates files in the driver directory

      • msiexec.exe (PID: 1948)
    • Drops a system driver (possible attempt to evade defenses)

      • msiexec.exe (PID: 1948)
      • msiexec.exe (PID: 4004)
    • Executes as Windows Service

      • BattMonSVC.exe (PID: 1552)
      • VSSVC.exe (PID: 4084)
  • INFO

    • Checks supported languages

      • msiexec.exe (PID: 4004)
      • msiexec.exe (PID: 4044)
      • msiexec.exe (PID: 1604)
      • msiexec.exe (PID: 1948)
      • BattMonSVC.exe (PID: 1552)
      • BattMonUI.exe (PID: 2264)
    • Reads the computer name

      • msiexec.exe (PID: 4004)
      • msiexec.exe (PID: 4044)
      • msiexec.exe (PID: 1604)
      • msiexec.exe (PID: 1948)
      • BattMonSVC.exe (PID: 1552)
      • BattMonUI.exe (PID: 2264)
    • Reads the machine GUID from the registry

      • msiexec.exe (PID: 4004)
      • msiexec.exe (PID: 4044)
      • msiexec.exe (PID: 1604)
      • msiexec.exe (PID: 1948)
      • BattMonUI.exe (PID: 2264)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 3968)
      • msiexec.exe (PID: 4004)
      • msiexec.exe (PID: 1948)
    • Create files in a temporary directory

      • msiexec.exe (PID: 4004)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 4004)
    • Application launched itself

      • msiexec.exe (PID: 4004)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (93.6)
.xls | Microsoft Excel sheet (5)
.msi | Microsoft Installer (100)

EXIF

FlashPix

CodePage: Windows Latin 1 (Western European)
Title: Installation Database
Subject: Bluetooth Battery Monitor Version 1.16.1.1 Installer
Author: Luculent Systems, LLC
Keywords: Installer
Comments: This installer database contains the logic and data required to install Bluetooth Battery Monitor.
Template: Intel;1033
RevisionNumber: {0C546D84-2807-4B98-A6A9-35CF219E9CEB}
CreateDate: 2019:09:08 23:42:54
ModifyDate: 2019:09:08 23:42:54
Pages: 500
Words: 2
Software: Windows Installer XML Toolset (3.11.1.2318)
Security: None
No data.
All screenshots are available in the full report
Total processes
41
Monitored processes
8
Malicious processes
2
Suspicious processes
0

Behavior graph

Graph nodes (in order): msiexec.exe, msiexec.exe, msiexec.exe (no specs), vssvc.exe (no specs), msiexec.exe (no specs), msiexec.exe, battmonsvc.exe (no specs), battmonui.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID:
1552
CMD:
"C:\Program Files\Luculent Systems\Bluetooth Battery Monitor\BattMonSVC.exe"
Path:
C:\Program Files\Luculent Systems\Bluetooth Battery Monitor\BattMonSVC.exe
Parent process:
services.exe
User:
SYSTEM
Company:
Luculent Systems, LLC
Integrity Level:
SYSTEM
Description:
Bluetooth Battery Monitor Service
Version:
1.16.1.1
Modules
Images
c:\program files\luculent systems\bluetooth battery monitor\battmonsvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
PID:
1604
CMD:
C:\Windows\system32\MsiExec.exe -Embedding 76AC12DDCB57DE47D4E663FCDFA5700E
Path:
C:\Windows\System32\msiexec.exe
Parent process:
msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID:
1948
CMD:
C:\Windows\system32\MsiExec.exe -Embedding 43003CDCA12731B4DCA8537F997D6EBD E Global\MSI0000
Path:
C:\Windows\System32\msiexec.exe
Parent process:
msiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID:
2264
CMD:
"C:\Program Files\Luculent Systems\Bluetooth Battery Monitor\BattMonUI.exe" -i -o
Path:
C:\Program Files\Luculent Systems\Bluetooth Battery Monitor\BattMonUI.exe
Parent process:
msiexec.exe
User:
admin
Company:
Luculent Systems, LLC
Integrity Level:
MEDIUM
Description:
Bluetooth Battery Monitor User Interface
Version:
1.16.1.1
Modules
Images
c:\program files\luculent systems\bluetooth battery monitor\battmonui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\luculent systems\bluetooth battery monitor\qt5network.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\program files\luculent systems\bluetooth battery monitor\qt5core.dll
PID:
3968
CMD:
"C:\Windows\System32\msiexec.exe" /i C:\Users\admin\AppData\Local\Temp\BattMonSetup-1.16.1.1-cracked.msi
Path:
C:\Windows\System32\msiexec.exe
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID:
4004
CMD:
C:\Windows\system32\msiexec.exe /V
Path:
C:\Windows\System32\msiexec.exe
Parent process:
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID:
4044
CMD:
C:\Windows\system32\MsiExec.exe -Embedding E1C156744DCF1586C01B18A38142F5A0 C
Path:
C:\Windows\System32\msiexec.exe
Parent process:
msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID:
4084
CMD:
C:\Windows\system32\vssvc.exe
Path:
C:\Windows\System32\VSSVC.exe
Parent process:
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events
6 030
Read events
5 712
Write events
304
Delete events
14

Modification events

(PID) Process: (4004) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore
Operation: write
Name: SrCreateRp (Enter)
Value:
400000000000000068DF648A8FB2DA01A40F0000F00F0000D5070000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (4004) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
Operation: write
Name: SppCreate (Enter)
Value:
400000000000000068DF648A8FB2DA01A40F0000F00F0000D0070000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (4004) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
Operation: write
Name: LastIndex
Value:
75

(PID) Process: (4004) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
Operation: write
Name: SppGatherWriterMetadata (Enter)
Value:
4000000000000000F0242D8B8FB2DA01A40F0000F00F0000D3070000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (4004) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
Operation: write
Name: IDENTIFY (Enter)
Value:
40000000000000004A872F8B8FB2DA01A40F000044080000E80300000100000000000000000000001BD57E896401194DA27C3EF07F02E8360000000000000000

(PID) Process: (4084) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
Operation: write
Name: IDENTIFY (Enter)
Value:
4000000000000000B210398B8FB2DA01F40F000050070000E8030000010000000100000000000000000000000000000000000000000000000000000000000000

(PID) Process: (4084) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
Operation: write
Name: IDENTIFY (Enter)
Value:
4000000000000000B210398B8FB2DA01F40F000018080000E8030000010000000100000000000000000000000000000000000000000000000000000000000000

(PID) Process: (4084) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\ASR Writer
Operation: write
Name: IDENTIFY (Enter)
Value:
4000000000000000B210398B8FB2DA01F40F0000FC0F0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000

(PID) Process: (4084) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
Operation: write
Name: IDENTIFY (Enter)
Value:
4000000000000000B210398B8FB2DA01F40F000074010000E8030000010000000100000000000000000000000000000000000000000000000000000000000000

(PID) Process: (4084) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
Operation: write
Name: IDENTIFY (Leave)
Value:
40000000000000000C733B8B8FB2DA01F40F000074010000E8030000000000000100000000000000000000000000000000000000000000000000000000000000
Executable files
72
Suspicious files
11
Text files
2
Unknown types
1

Dropped files

PID
Process
Filename
Type
PID: 4004
Process: msiexec.exe
Filename: C:\System Volume Information\SPP\metadata-2
Type:
MD5:
SHA256:

PID: 4004
Process: msiexec.exe
Filename: C:\Windows\Installer\106c39.msi
Type:
MD5:
SHA256:

PID: 4004
Process: msiexec.exe
Filename: C:\Windows\Installer\MSI7274.tmp
Type: executable
MD5: 62773CC6362C7E1C49F4EF6E053B94D6
SHA256: 44D053842BE0BBF7BD3016F38E03A6552EEEBA8C4E1C904B71C054E51CE57B41

PID: 4004
Process: msiexec.exe
Filename: C:\System Volume Information\SPP\OnlineMetadataCache\{897ed51b-0164-4d19-a27c-3ef07f02e836}_OnDiskSnapshotProp
Type: binary
MD5: 9B621175ED660FB8D468A9DF08B78D2F
SHA256: D449A04777B8B3A5BB95AF17A2E31412D6F2F4E20F8E767C3D8974AE26A67B9C

PID: 3968
Process: msiexec.exe
Filename: C:\Users\admin\AppData\Local\Temp\MSI4112.tmp
Type: executable
MD5: 62773CC6362C7E1C49F4EF6E053B94D6
SHA256: 44D053842BE0BBF7BD3016F38E03A6552EEEBA8C4E1C904B71C054E51CE57B41

PID: 4004
Process: msiexec.exe
Filename: C:\Windows\Installer\MSI7224.tmp
Type: executable
MD5: 62773CC6362C7E1C49F4EF6E053B94D6
SHA256: 44D053842BE0BBF7BD3016F38E03A6552EEEBA8C4E1C904B71C054E51CE57B41

PID: 4004
Process: msiexec.exe
Filename: C:\Windows\Installer\106c3a.ipi
Type: binary
MD5: 83FA116D0297CC12772920AE172BA63B
SHA256: D262F3A5E62DB2331E85E8DFA87F5EC1E8BDC4EFE76499A07A0F15F096B0BCA6

PID: 4004
Process: msiexec.exe
Filename: C:\Users\admin\AppData\Local\Temp\~DFA9C6818573EE3838.TMP
Type: binary
MD5: BF0D25D79F6A3DA18C5BC4A13FDA34D7
SHA256: AAF165C8F9247A5370ED5BE8D770DE50C26551A8D679072E2581BF53C1D5BEF4

PID: 4004
Process: msiexec.exe
Filename: C:\System Volume Information\SPP\snapshot-2
Type: binary
MD5: 9B621175ED660FB8D468A9DF08B78D2F
SHA256: D449A04777B8B3A5BB95AF17A2E31412D6F2F4E20F8E767C3D8974AE26A67B9C

PID: 4004
Process: msiexec.exe
Filename: C:\Program Files\Luculent Systems\Bluetooth Battery Monitor\api-ms-win-core-file-l1-1-0.dll
Type: executable
MD5: 50FEE042CEE2A4AABA502D2F5087AE70
SHA256: 656D1B11A6242142B9B289445FBE7617AD9B5F6FCF47AD6983FF09194C867BBC
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
3
DNS requests
0
Threats
0

HTTP requests

No HTTP requests

Connections

PID: 4
Process: System
IP: 192.168.100.255:137
Domain:
ASN:
CN:
Reputation: whitelisted

PID: 4
Process: System
IP: 192.168.100.255:138
Domain:
ASN:
CN:
Reputation: unknown

PID:
Process:
IP: 224.0.0.252:5355
Domain:
ASN:
CN:
Reputation: unknown

DNS requests

No data

Threats

No threats detected
Debug output strings

Process: msiexec.exe
Message: WdfCoInstaller: [05/30/2024 13:47.45.153] ReadComponents: WdfSection for Driver Service BattMonFltr using KMDF lib version Major 0x1, minor 0x9

Process: BattMonUI.exe
Message: QCoreApplication::applicationDirPath: Please instantiate the QApplication object first